[Snort-users] Re: [tcpdump-workers] Unknow packet
guy at ...4602...
Wed Jan 16 14:44:06 EST 2002
> I have been experimenting with writing a sniffer in Perl. While testing the
> script I received the packet below. The SrcMac is of my layer3 switch and I
> do not know the DestMAC. This has me worried.
It's a Cisco Discovery Protocol packet, and the destination MAC is a
multicast MAC rather than a unicast MAC (CDP packets are multicast), so
it won't be the MAC address of *any* of the machines on your network (or
of any machine anywhere on the planet).
> I have tried Analyzer,
> Ethereal, Optimal, and Tcpdump but they drop the packet for some reason
> (this is an assumption; I never see the packet in their output).
There is no reason why Ethereal or tcpdump would drop that packet,
unless they were run with a capture filter that would exclude CDP
packets. Perhaps the packet gets lost somewhere else, but if your
sniffer is using libpcap/WinPcap, it gets the same stuff that Analyzer,
Ethereal, and tcpdump/WinDump would get when run on the same machine, if
you capture on the same interface using the same packet filter.
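The two checks the reply relies on, whether a destination MAC is multicast and whether a frame is CDP, can be done from the raw bytes a libpcap/WinPcap sniffer hands back. The following Python is an added example written for this archive page; it is not code from the original poster's Perl sniffer or from any of the tools named above. It assumes the well-known CDP encapsulation (802.3 length field, LLC/SNAP with Cisco OUI 00:00:0c and protocol ID 0x2000, destination 01:00:0c:cc:cc:cc) and uses two constructed sample frames with made-up source MACs and a placeholder checksum.

```python
import struct

# Well-known constants for Cisco Discovery Protocol (not from the original post)
CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")
SNAP_CISCO_OUI = bytes.fromhex("00000c")
CDP_PID = 0x2000
CDP_TLV_DEVICE_ID = 0x0001


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def is_multicast(mac: bytes) -> bool:
    # The I/G (individual/group) bit is the least-significant bit of the
    # first octet; when set, the address is a group (multicast) address and
    # can never be the unicast address of a single NIC.
    return bool(mac[0] & 0x01)


def cdp_tlvs(cdp_payload: bytes) -> list:
    """Walk the CDP TLVs that follow the 4-byte version/TTL/checksum header."""
    tlvs = []
    pos = 4
    while pos + 4 <= len(cdp_payload):
        tlv_type, tlv_len = struct.unpack("!HH", cdp_payload[pos:pos + 4])
        if tlv_len < 4 or pos + tlv_len > len(cdp_payload):
            break  # malformed or truncated TLV: stop rather than overrun
        tlvs.append((tlv_type, cdp_payload[pos + 4:pos + tlv_len]))
        pos += tlv_len
    return tlvs


def parse_frame(frame: bytes) -> dict:
    """Classify one raw Ethernet frame as a capture library would deliver it."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    info = {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "dst_multicast": is_multicast(dst),
        "is_cdp": False,
        "cdp_version": None,
        "cdp_ttl": None,
        "tlvs": [],
    }
    if type_or_len <= 1500:
        # IEEE 802.3 length field, so an LLC header follows instead of a payload
        llc = frame[14:22]
        if (len(llc) == 8 and llc[0:3] == b"\xaa\xaa\x03"  # SNAP encapsulation
                and llc[3:6] == SNAP_CISCO_OUI
                and struct.unpack("!H", llc[6:8])[0] == CDP_PID):
            payload = frame[22:]
            if len(payload) >= 4:
                info["is_cdp"] = True
                info["cdp_version"], info["cdp_ttl"] = payload[0], payload[1]
                info["tlvs"] = cdp_tlvs(payload)
    else:
        info["ethertype"] = type_or_len  # Ethernet II frame (e.g. 0x0800 for IPv4)
    return info


# Constructed sample frames (not captured traffic). Source MACs are invented and
# the CDP checksum field is a 0x0000 placeholder.
SAMPLE_CDP_FRAME = (
    CDP_MULTICAST_MAC
    + bytes.fromhex("001b2c3d4e5f")      # constructed source MAC
    + struct.pack("!H", 19)              # 802.3 length: 8 (LLC/SNAP) + 4 + 7
    + b"\xaa\xaa\x03" + SNAP_CISCO_OUI + struct.pack("!H", CDP_PID)
    + bytes([2, 180]) + b"\x00\x00"      # CDP version 2, TTL 180 s, checksum
    + struct.pack("!HH", CDP_TLV_DEVICE_ID, 7) + b"sw1"  # Device ID TLV
)

SAMPLE_IP_FRAME = (
    bytes.fromhex("001b2c3d4e60")        # constructed unicast destination
    + bytes.fromhex("001b2c3d4e5f")
    + struct.pack("!H", 0x0800)          # EtherType IPv4
    + b"\x45\x00" + b"\x00" * 18         # truncated dummy IPv4 header
)

if __name__ == "__main__":
    for name, frame in (("cdp", SAMPLE_CDP_FRAME), ("ip", SAMPLE_IP_FRAME)):
        print(name, parse_frame(frame))
```

A sniffer that prints `dst_multicast` alongside the address makes the situation in the original question obvious at a glance; note that a capture filter such as tcpdump's `not ether dst 01:00:0c:cc:cc:cc` would hide these frames entirely, which is the "capture filter that would exclude CDP packets" case the reply mentions.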